% Created 2021-04-09 Fri 18:51
% Intended LaTeX compiler: pdflatex
\documentclass[presentation]{beamer} \usepackage[utf8]{inputenc} \usepackage[T1]{fontenc} \usepackage{graphicx} \usepackage{grffile} \usepackage{longtable} \usepackage{wrapfig} \usepackage{rotating} \usepackage[normalem]{ulem} \usepackage{amsmath} \usepackage{textcomp} \usepackage{amssymb} \usepackage{capt-of} \usepackage{hyperref} \usepackage{tabu} \usepackage{minted} \usepackage[english]{babel} \hypersetup{pdfauthor="Vasilij Schneidermann", pdftitle="Towards a better Duckyscript toolchain", colorlinks, linkcolor=, urlcolor=blue} \setminted{fontsize=\footnotesize,escapeinside=||} \usetheme{Rochester} \usecolortheme[RGB={87,83,170}]{structure} \author{Vasilij Schneidermann} \date{April 2021} \title{Towards a better Duckyscript toolchain} \hypersetup{ pdfauthor={Vasilij Schneidermann}, pdftitle={Towards a better Duckyscript toolchain}, pdfkeywords={}, pdfsubject={}, pdfcreator={Emacs 27.2 (Org mode 9.4.4)}, pdflang={English}} \begin{document} \maketitle \begin{frame}{Outline} \tableofcontents \end{frame} \AtBeginSection{\frame{\sectionpage}} \section{Intro} \label{sec:org0bf03e3} \begin{frame}[label={sec:org860d8d1}]{About} \begin{itemize} \item Vasilij Schneidermann, 28 \item Cyber security consultant at msg systems \item mail@vasilij.de \item \url{https://depp.brause.cc} \item \url{https://emacsninja.com/} \end{itemize} \end{frame} \begin{frame}[label={sec:org4f35eae}]{Legal disclaimer} \begin{itemize} \item The contents of this talk are of a purely educational nature \item I do not condone using any technology presented here to hack other people's computers without their explicit permission \item Germany has the so-called ``Hackerparagraph'' (\S\,202c StGB), which is intended to punish people who write software enabling a hacking attempt, but which can also be read as a disincentive to publish hacking tools \item I do not believe this tool enables attacks that wouldn't have been possible previously, as it merely improves 
the tooling landscape for those crazy enough to use CHICKEN Scheme, but still\ldots{} \end{itemize} \end{frame} \begin{frame}[label={sec:org428d10b}]{Previously, at SecCamp 2019} \begin{itemize} \item I attended an infosec event \item Everyone was handed a free Digistump Digispark \item I visited the corresponding workshop \item We learned how to weaponize the microcontroller into a USB device that sends keystrokes to control the computer \item It was fun and I bought an extra device for further experimentation \end{itemize} \end{frame} \begin{frame}[label={sec:org0222adb}]{Motivation} \begin{itemize} \item The workshop was cool, but most of the time was spent messing around with toolchains until we got something running \item Recurring theme at workshops \item I had to use three tools in succession to arm the device with a new payload: \begin{itemize} \item Official encoder from Duckyscript to binary (Java) \item Unofficial translator from binary to Arduino sketch \item Arduino IDE to compile and deploy the code \end{itemize} \item Can it be done better? \item Can it support keyboard customizations? \item Can it help you with debugging? \end{itemize} \end{frame} \begin{frame}[label={sec:orgc658363}]{Motivation} \begin{itemize} \item Pranks \item Security assessment (USB drop: a prepared stick left in the parking lot) \item Actual hacking (insert a prepared USB stick into unattended computers, collect information, reconfigure the machine) \end{itemize} \end{frame} \begin{frame}[label={sec:orgfef0b67}]{In the news} \begin{quote} Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified. 
The analysis is ongoing but still inconclusive, he said. \end{quote} \url{https://www.miamiherald.com/news/politics-government/article228963409.html} Takeaway: media of unknown origin belongs in an isolated, disposable analysis machine, never in the analyst's own computer. \end{frame} \begin{frame}[label={sec:org3ce81cb},fragile]{Demo} \begin{minted}[]{basic}
DEFAULT_DELAY 500
REM open terminal
WINDOWS ENTER
STRING cat > /dev/null
ENTER
DEFAULT_DELAY 1500
STRING_DELAY 30 Wake up, Neo...
ENTER
STRING_DELAY 50 The Matrix has you...
ENTER
STRING_DELAY 30 Follow the white rabbit.
ENTER
STRING Knock, knock, Neo.
ENTER
CONTROL d
CONTROL d
\end{minted} \end{frame} \begin{frame}[label={sec:org5432941},fragile]{Demo} \begin{minted}[]{bash}
$ plucky -i matrix.duck -o keyboard.c
$ make
$ make deploy
\end{minted} \end{frame} \section{State of Duckyscript toolchains} \label{sec:org6e3f4e3} \begin{frame}[label={sec:orgfd68b27}]{Official toolchain} \begin{itemize} \item Available at \url{https://github.com/hak5darren/USB-Rubber-Ducky} \item No license (who needs them anyway; without one there is no right to modify or redistribute it) \item Designed for the original hardware only \item Many third-party payloads (treat them as untrusted code and read them before deploying; they run with the logged-in user's privileges): \begin{itemize} \item \url{https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads} \item \url{https://ducktoolkit.com/userscripts} \end{itemize} \end{itemize} \end{frame} \begin{frame}[label={sec:org0e54ad1},fragile]{Unofficial toolchains} \begin{itemize} \item \url{https://github.com/mame82/duck2spark} \item No license (sense a theme?) 
\item Workflow (taken from the README): \begin{itemize} \item \texttt{echo "STRING Hello World" > test.duck} \item \texttt{java -jar encoder.jar -i test.duck -o raw.bin -l de} \item \texttt{./duck2spark.py -i raw.bin -l 1 -f 2000 -o sketch.ino} \item Replace the sketch contents with the generated script \item Compile and deploy \item Try out the payload \end{itemize} \end{itemize} \end{frame} \begin{frame}[label={sec:org682f596}]{Room for improvement} \begin{itemize} \item One tool, not three \item Fast iteration cycles \item Keyboard customization \item Debugging capabilities \item Supporting both the original and custom hardware \item Yet still: behavior parity with the official encoder \end{itemize} \end{frame} \section{The BASIC rundown} \label{sec:org76cde36} \begin{frame}[label={sec:orgfe47627}]{USB in general} \begin{itemize} \item USB does tons of stuff, tricky to make sense of \item We want this: \url{https://en.wikipedia.org/wiki/USB_human_interface_device_class} \item USB HID supports keyboards, mice, game controllers \item There's a standardized list of 256 USB HID key codes \item Orthogonal: mapping to keyboard hardware, OS customizations \item A device sends out USB HID codes with optional modifiers representing key events \item Bonus: the device doesn't need to be a keyboard to do that \item Can be legitimate (barcode scanner) or illegitimate (Rubber Ducky); the host cannot tell either apart from a real keyboard, which is what makes this attack class work \end{itemize} \end{frame} \begin{frame}[label={sec:org0598386},fragile]{Keyboards in general} \begin{itemize} \item USB HID codes try to be a superset of all possible keys \item A keyboard layout is mapped onto these USB HID codes \item Sometimes the mapping is less obvious (ä on QWERTZ maps to \texttt{KEY\_APOSTROPHE}) \item The OS can implement remapping (swapping modifiers, dead keys, alternative layout key) \item Modifiers can be both modifiers (\texttt{KEY\_MOD\_LCTRL}) and standalone keys (\texttt{KEY\_LEFTCTRL}) \item Fun fact: \texttt{KEY\_MEDIA\_COFFEE} is a thing \end{itemize} \end{frame} \begin{frame}[label={sec:orgc0e88d9}]{Duckyscript 
hardware} \begin{itemize} \item USB stick \item Storage to save exfiltrated data to \item Flashed with logic to execute the compiled payload \item Price point: 50\,\texteuro{} \end{itemize} \end{frame} \begin{frame}[label={sec:orgd067ae9}]{Duckyscript logic} \begin{itemize} \item Program is represented as a stream of bytes \item Every pair of bytes encodes either a (modified) key press or a delay \item Key press: modifier byte and key byte \item Delay: delay length (a single byte, so at most 255\,ms per command) and a zero byte \end{itemize} \end{frame} \begin{frame}[label={sec:org01b57dc}]{Digistump Digispark hardware} \begin{itemize} \item General-purpose microcontroller \item Bare board with USB plug \item Not quite USB stick form factor \item ATtiny85 (AVR) \item Little RAM, little ROM, no storage \item Price point: 3\,\texteuro{} \end{itemize} \end{frame} \begin{frame}[label={sec:org0daabf2}]{Microcontroller programming} \begin{itemize} \item Harvard architecture: code separate from data \item Hello world: making an LED blink \item Your code is not expected to exit \item No OS, no dynamic linking, few abstractions \item Simple solutions are key \item No hardware USB support: bit-banged in software (V-USB) \end{itemize} \end{frame} \begin{frame}[label={sec:orgd218fd1}]{Microcontroller challenges} \begin{itemize} \item Arduino code turns out to be C++ \item Refactoring the C++ code into standalone C \item Updating the usbdrv/vusb library \item Initialization \item Waiting for time to pass \item Flash memory access (C is far from ideal for Harvard architectures) \item Figuring out how keys are encoded \item Size optimization \end{itemize} \end{frame} \section{Compiling Duckyscript} \label{sec:org08c72b4} \begin{frame}[label={sec:org3481ff0},fragile]{Duckyscript language} \begin{itemize} \item \texttt{REM comment} \item \texttt{[MODIFIER] KEY} \item \texttt{STRING hello} \item \texttt{STRING\_DELAY 20 hello again} \item \texttt{DELAY 100} \item \texttt{REPEAT 3} \item \texttt{DEFAULT\_DELAY 100} (also spelled \texttt{DEFAULTDELAY}) \end{itemize} \end{frame} \begin{frame}[label={sec:org3eca255}]{Implementation strategy} 
\begin{itemize} \item Tokenize \item Parse with a stateful loop \item Generate key press/delay commands \item Check for errors \item Translate into binary/C code \item Testing \end{itemize} \end{frame} \begin{frame}[label={sec:org00d3c9b}]{Tokenization and parsing} \begin{itemize} \item I used comparse initially, but it turned out to be overkill for a poorly specified language \item Irregex is far better for this, but it's easy to mess up \item Big complicated regexp per line: slow, hard to understand \item Dispatching on the first space-separated token: fast \end{itemize} \end{frame} \begin{frame}[label={sec:orgeabd837},fragile]{Command generation} \begin{itemize} \item Keep track of the default delay and the last command \item Insert the default delay after \texttt{STRING}, \texttt{STRING\_DELAY} and key commands \item Insert the last command repeatedly for the \texttt{REPEAT} command \item Break down \texttt{STRING} and \texttt{STRING\_DELAY} into repeated key presses (with a delay if requested) \item Break down key combinations into modifiers and keys \item Break down long delays if needed (a single delay command can encode at most 255\,ms) \end{itemize} \end{frame} \begin{frame}[label={sec:orgfeb446e},fragile]{Code generation} \begin{itemize} \item I initially tried using \texttt{fmt-c}, but it turned out to be overkill \item Now: a template string with \texttt{@identifier@} placeholders \item No template logic though, hardcoded replacements \item Keys are translated to preprocessor macro names \end{itemize} \end{frame} \begin{frame}[label={sec:org05f5338}]{Compiler customization} \begin{itemize} \item Hard to turn C code into the binary format \item Sometimes the compiler behaves differently from the official one \item Multi-pass approach necessary: dumping output after each stage \item At the last stage: decision whether to emit binary or C code \end{itemize} \end{frame} \begin{frame}[label={sec:org5e7b3d8}]{Naming woes} \begin{itemize} \item Everything in the code was called a key \item I let the project sit for almost 
two years \item Wrote a design document clarifying terms \item Refactored to these names, then adjusted the logic \item It works now, the tests are broken though\ldots{} \end{itemize} \end{frame} \begin{frame}[label={sec:orgb30032b}]{Test corpus prep} \begin{itemize} \item This slide left blank for legal reasons \end{itemize} \end{frame} \begin{frame}[label={sec:orgde5ed82},fragile]{Unit testing} \begin{minted}[]{scheme}
(when (not (get-environment-variable "TEST_MODE"))
  (main))
\end{minted} \end{frame} \begin{frame}[label={sec:orge344fa1},fragile]{Unit testing} \begin{minted}[]{scheme}
(set-environment-variable! "TEST_MODE" "1")
(include "../plucky.scm")
(test-group ...)
(test-exit)
\end{minted} \end{frame} \begin{frame}[label={sec:org241e9c6}]{E2E testing} \begin{itemize} \item Wrote helper scripts to convert the corpus to the binary format with the official encoder \item Wrote another test script to convert the corpus to the binary format with my compiler \item The test script compares the two outputs (differential testing) and fails on any difference \item A similar approach could be taken for decompilation \end{itemize} \end{frame} \section{Outro} \label{sec:orgd94449a} \begin{frame}[label={sec:orgc0140bf}]{What next?} \begin{itemize} \item Fixing the tests \item Decompilation \item Behavior parity \item Actually using it \end{itemize} \end{frame} \begin{frame}[label={sec:org25410c0}]{Questions?} \end{frame} \end{document}